Captive Portal
HTTP or HTTPS traffic that comes from an IP address that has no user data associated with it. Users are directed to the portal and authenticated, thereby creating a user-to-IP mapping. This is used in conjunction with the User-ID Agent.
Web-Form = Presents a captive portal page for the user to explicitly enter authentication credentials.
*The firewall authenticates users via the configured Server Profile: either RADIUS, LDAP, Kerberos, or the local firewall database.
*3 login attempts are allowed.
*This is the only option for ALL non-Microsoft clients.
No-Captive-Portal = Allows traffic to pass without presenting a captive portal page for authentication.
Browser-Challenge = Transparent. Sends an NTLM (NT LAN Manager) authentication request to the user's web browser. The web browser responds using the user's current login credentials, which are communicated to the Domain Controller.
*The browser is sent a 302 redirect (to the NTLM redirect host name) pointing at an interface on the firewall. The firewall then sends the browser a 401 response. The browser sends its NTLM authentication, which is passed to a User-ID Agent, and the browser is redirected back to the original address.
*The Windows account you create for NTLM access must have admin privileges.
*IF you have multiple vsys, only vsys1 will be able to join the domain.
*IF the browser is not performing NTLM authentication, or if the authentication fails, this method falls back to the web-form based Captive Portal and redirects to a log on page.
Several methods to ID users:
*Active Directory Agent (PAN Agent)
*LDAP Agent (User-ID Agent)
*User-ID API
*Direct authentication to the FW (SSL VPN)
'CHECK LIST:'
#'ENABLE CAPTIVE PORTAL:'
#*Make sure User-ID is enabled on the ingress zone
#*Device -> User ID -> Captive Portal Settings Tab -> ENABLE checkbox
#*Device -> User ID -> User Mapping Tab -> Enable NTLM Authentication Processing (if using the NTLM action)
#*Device -> Response Pages -> Captive Portal Comfort Page (make sure one is selected)
#*Network -> Network Profiles -> Interface MGMT (Enable Response Page)
#'CONFIGURE CAPTIVE PORTAL SETTINGS:'
#*Device -> User ID -> Captive Portal Settings Tab
#*A self-signed cert is fine
#*Device -> Authentication Profile -> Add (specify the authentication method, EX: LDAP)
#'CAPTIVE PORTAL POLICIES:'
#*Policies -> Captive Portal
#*Policies -> Security
'NTLM CHECK LIST:'
*A User-ID Agent should be running in the network
*The web browser should support NTLM. Internet Explorer works
*Enable User Identification on the applicable zone (Network -> Zone)
*The Redirect method is recommended for NTLM Authentication
*Check that the Captive Portal rules allow the source users
(NTLM = Windows NT LAN Manager = challenge-response mechanism for authentication; clients are able to prove their identities without sending a password to the server)
'Layer 3 CHECK LIST:'
*IP address or hostname of a Layer 3 interface on the firewall
*User-ID is enabled on the zone users are coming from
*Session Cookie enabled (Device -> User ID -> Captive Portal Settings Tab)
*IF using redirect mode, create a Management Profile for the response page
**Apply it to the interface to which the Captive Portal will be redirected.
*Configure Captive Portal Rules (Policies -> Captive Portal)
**Authenticating users from the Trust zone to the Untrust zone.
**Select 'captive portal' for the authentication method.
**If required, add source and destination IP addresses.
*Configure Security Rules to only allow known users to access the internet:
**Rule 1: Trust to Untrust, all users, application DNS: allow.
**Rule 2: Trust to Untrust, all known users, any application: allow.
**Rule 3: Trust to Untrust, all unknown users, any application: deny.
*Commit.
'Layer 2 CHECK LIST:'
*Web-form and NTLM authentication require a Layer 3 IP-addressed interface on the firewall.
*IF the firewall is operating at L2, the IP address of the CP/NTLM challenge must be part of the same L2 network. This is accomplished by configuring a VLAN interface on the firewall. This VLAN interface will be used for all Captive Portal functions.
'1. ENABLE CAPTIVE PORTAL:'
Network -> Network Profiles -> Interface MGMT
'''''For SITE to SITE VPN - (PAN to PAN)''''' EX: PAN1 => VPN => PAN2 => Captive Portal => Internet
*Enable the Response Page option in the Management Profile
**For site to site VPN: add the Management Profile to the Tunnel interface. This is the interface associated with the IPSec VPN on the firewall configured with Captive Portal (PAN2 in this example).
'2. CONFIGURE CAPTIVE PORTAL SETTINGS:'
Device -> User ID -> Captive Portal Settings Tab
Select ENABLE to turn on the Captive Portal option for authentication.
*''Location'' = Select the virtual system from the drop-down list (if supported on the unit)
*''Idle Timer'' = The length of time after which the Captive Portal page times out.
**(1-1440 minutes, default is 15 mins)
*''Expiration'' = The timeout interval
**(1-1440 minutes, default is 60 mins)
*''Redirect Host'' = The hostname used for the HTTP redirect when initiating the NTLM challenge sent to the client.
*''Server Certificate'' = Select the HTTP SSL certificate used for the captive portal.
**Any self-signed cert will work.
**If NONE, the firewall will use the local default certificate to provide the SSL connection ("secure web gui").
*''Authentication Profile'' = Profile used to determine the authentication source for Captive Portal logins.
*''Certificate Profile'' = Certificate Profile to use for client authentication.
*'Mode'
**''Transparent'' = Allows users who are already identified by the firewall (user/IP mapping) to access network resources without an additional authentication step.
**''Redirect'' = Required for NTLM and session cookie retention. The firewall can set a cookie for future login requests; future redirection then becomes transparent to the user as long as the browser has not been closed.
***''Session cookie'' = Enable to configure an interval after which the redirection times out.
***''Timeout'' = 60-10,080 minutes. Default is 24 hours / 1440 minutes.
***''Roaming'' = Enable to retain the cookie if the IP address changes while the browser is OPEN.
****If the browser closes, the cookie is lost regardless of whether Roaming is enabled or not.
***''Response Pages'' (Network -> Network Profiles -> Interface Management) must be enabled on the Interface Management Profile assigned to the Layer 3 interface to which you are redirecting the captive portal.
*''NTLM Authentication'' = These options apply to the User-ID Agent installed on domain servers and do NOT apply to the PAN-OS User-ID feature configured in the 'User Mapping' tab.
**''Attempts'' = Number of attempts after which the NTLM authentication fails.
**''Timeout'' = The number of seconds after which the NTLM authentication times out.
**''Reversion Time'' = The time after which the firewall will try again to contact the first agent in the list of User-ID Agents after that agent becomes unavailable.
'3. CAPTIVE PORTAL POLICIES'
Policies -> Captive Portal
A Security Policy needs to be matched first before the session is redirected to the Captive Portal.
If a Deny policy is matched, the packets will be dropped and the session will not be redirected to the Captive Portal.
*Web-browsing and DNS must be allowed. (The CP page uses port 80.)
*A DNS query is needed for the URL lookup. This action spawns the CP redirect.
*CP uses SSL to connect on ports 6080 and 6081, not 443.
'COMMANDS:'
To reset any Captive Portal session (the client will have to authenticate again):
*''debug user-id reset captive-portal ip-address''
To check the Captive Portal log:
*''less mp-log appweb3-l3svc.log''
The Captive Portal session counter can be viewed through the global counters:
*''show counter global | match session_svc''
*EX of output for a Captive Portal port (6080) session and captive portal zone (N/A):
 1449020/1 10.16.2.1121103/l2-lan-trust/6 72.240.47.706080/N/A ssl ACTIVE FLOW ND
 1449021/1 10.16.2.1121102/l2-lan-trust/6 72.240.47.7080/N/A web-browsing ACTIVE FLOW ND
View the session ID:
*''show session id <######>''
*EX output:
 application : ssl
 rule : captive-portal
 session to be logged at end : no
 session in session ager : yes
 session sync'ed from HA peer : no
 address/port translation : destination
 layer7 processing : enabled
 URL filtering enabled : no
 session terminated on host : yes
 captive portal session : yes
'Common Issues'
'ISSUE: Captive Portal redirect loop:'
The user gets the CP login page again after authenticating on the login page.
Solution: '''This issue occurs when User Identification is not enabled on the zones that are used in the captive portal.'''
'ISSUE: Configured for NTLM Captive Portal. When an unknown user attempts to access the CP page they are able to authenticate; however, the original user-intended destination site does not load, and a connection timeout message appears instead.'
Solution: (Network -> Network Profiles -> Interface Mgmt) Response Page was not enabled on the redirected interface.
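The COMMANDS section above tells you to spot Captive Portal sessions by their destination port (6080/6081) in the session table and to confirm them with the ''captive portal session : yes'' field of ''show session id''. The following Python is an added example, not part of this page or of PAN-OS, that turns both checks into code you can run over saved CLI output. The session-table lines it parses are constructed samples in an assumed "ip[port]/zone" layout (the page's own lines lost their brackets); the ''show session id'' sample is the page's own output.

```python
import re
from dataclasses import dataclass

# Captive Portal SSL listener ports named on the page (6080 and 6081).
CAPTIVE_PORTAL_PORTS = {6080, 6081}

# Constructed sample session-table lines. The "ip[port]" bracket layout is an
# assumption about the CLI format; the addresses and IDs mirror the page's
# example, with a third, unrelated HTTPS session added for contrast.
SAMPLE_SESSIONS = """\
1449020/1 10.16.2.112[1103]/l2-lan-trust/6 72.240.47.70[6080]/N/A ssl ACTIVE FLOW ND
1449021/1 10.16.2.112[1102]/l2-lan-trust/6 72.240.47.70[80]/N/A web-browsing ACTIVE FLOW ND
1449022/1 10.16.2.113[40211]/l2-lan-trust/6 93.184.216.34[443]/l2-untrust ssl ACTIVE FLOW NS
"""

# The page's own `show session id` output for the 6080 session.
SAMPLE_SESSION_DETAIL = """\
application : ssl
rule : captive-portal
session to be logged at end : no
session in session ager : yes
session sync'ed from HA peer : no
address/port translation : destination
layer7 processing : enabled
URL filtering enabled : no
session terminated on host : yes
captive portal session : yes
"""

# ID/vsys  src[sport]/zone/proto  dst[dport]/zone  app  state  type  flags
SESSION_RE = re.compile(
    r"^(?P<id>\d+)/(?P<vsys>\d+)\s+"
    r"(?P<src>[\d.]+)\[(?P<sport>\d+)\]/(?P<szone>[^/\s]+)/(?P<proto>\d+)\s+"
    r"(?P<dst>[\d.]+)\[(?P<dport>\d+)\]/(?P<dzone>\S+)\s+"
    r"(?P<app>\S+)\s+(?P<state>\S+)\s+(?P<type>\S+)\s+(?P<flags>\S+)\s*$"
)


@dataclass
class Session:
    id: int
    src: str
    sport: int
    szone: str
    dst: str
    dport: int
    dzone: str
    app: str


def parse_sessions(text):
    """Parse session-table lines; lines that do not match the layout are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sessions.append(Session(int(m["id"]), m["src"], int(m["sport"]),
                                    m["szone"], m["dst"], int(m["dport"]),
                                    m["dzone"], m["app"]))
    return sessions


def is_captive_portal_session(s):
    """Captive Portal sessions terminate on the firewall: CP port and 'N/A' destination zone."""
    return s.dport in CAPTIVE_PORTAL_PORTS and s.dzone == "N/A"


def captive_portal_sessions(text):
    return [s for s in parse_sessions(text) if is_captive_portal_session(s)]


def parse_session_detail(text):
    """Turn `show session id` output into a dict, splitting on the first colon only."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def confirms_captive_portal(detail_text):
    """True when the detail output shows the captive-portal rule and CP session flag."""
    fields = parse_session_detail(detail_text)
    return fields.get("captive portal session") == "yes" and fields.get("rule") == "captive-portal"


if __name__ == "__main__":
    for s in captive_portal_sessions(SAMPLE_SESSIONS):
        print(f"session {s.id}: {s.src} -> {s.dst}:{s.dport} ({s.app}) is a Captive Portal session")
    print("detail confirms captive portal:", confirms_captive_portal(SAMPLE_SESSION_DETAIL))
```

The web-browsing session to port 80 is deliberately not flagged: the page notes the CP page itself is served on port 80, so a port-80 hit alone does not prove a redirect happened; the 6080/6081 SSL session plus the ''captive portal session : yes'' field is the reliable combination.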
Tech Documents
HOW TO CONFIGURE CAPTIVE PORTAL: https://live.paloaltonetworks.com/docs/DOC-1159
HOW TO CONFIGURE IN LAYER 3: https://live.paloaltonetworks.com/docs/DOC-1630
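The settings section, the check lists and the Common Issues above all describe dependencies between Captive Portal settings: NTLM and session cookies need Redirect mode, Redirect mode needs Response Pages on the target interface's Management Profile (otherwise the destination site times out after login), User Identification must be on for the zones in the Captive Portal rules (otherwise the redirect loop), only vsys1 can join the domain, and the timers have fixed ranges. The Python below is an added example, not part of this page or of PAN-OS, that encodes those rules as a pre-commit consistency check over a small hand-built model of the configuration; the data model, the interface and zone names and the profile name are all constructed for the example.

```python
from dataclasses import dataclass, field

# Ranges stated on the page (all in minutes).
IDLE_TIMER_RANGE = (1, 1440)                # default 15
EXPIRATION_RANGE = (1, 1440)                # default 60
SESSION_COOKIE_TIMEOUT_RANGE = (60, 10080)  # default 1440 (24 hours)


@dataclass
class CaptivePortalConfig:
    """Constructed model of the Captive Portal settings and the objects they depend on."""
    enabled: bool = True
    mode: str = "redirect"                  # "transparent" or "redirect"
    idle_timer: int = 15
    expiration: int = 60
    session_cookie: bool = False
    session_cookie_timeout: int = 1440
    ntlm: bool = False
    redirect_host: str = ""
    authentication_profile: str = ""
    vsys: str = "vsys1"
    # zone name -> User Identification enabled on that zone (Network -> Zone)
    user_id_enabled_zones: dict = field(default_factory=dict)
    # Layer 3 interface that receives the redirect
    redirect_interface: str = ""
    # interface -> Response Pages enabled on its Interface Management Profile
    response_page_enabled: dict = field(default_factory=dict)


def _in_range(value, bounds):
    lo, hi = bounds
    return lo <= value <= hi


def check_captive_portal(cfg):
    """Return a list of findings; an empty list means the page's check lists are satisfied."""
    findings = []
    if not cfg.enabled:
        findings.append("Captive Portal is not enabled (Device -> User ID -> Captive Portal Settings)")
    if cfg.mode not in ("transparent", "redirect"):
        findings.append(f"unknown mode {cfg.mode!r}")
    if not cfg.authentication_profile:
        findings.append("no Authentication Profile selected (Device -> Authentication Profile)")
    if not _in_range(cfg.idle_timer, IDLE_TIMER_RANGE):
        findings.append(f"Idle Timer {cfg.idle_timer} outside {IDLE_TIMER_RANGE} minutes")
    if not _in_range(cfg.expiration, EXPIRATION_RANGE):
        findings.append(f"Expiration {cfg.expiration} outside {EXPIRATION_RANGE} minutes")
    if cfg.ntlm:
        if cfg.mode != "redirect":
            findings.append("NTLM authentication requires Redirect mode")
        if not cfg.redirect_host:
            findings.append("NTLM challenge needs a Redirect Host")
        if cfg.vsys != "vsys1":
            findings.append("only vsys1 can join the domain; NTLM will not work on " + cfg.vsys)
    if cfg.session_cookie:
        if cfg.mode != "redirect":
            findings.append("Session cookie retention requires Redirect mode")
        if not _in_range(cfg.session_cookie_timeout, SESSION_COOKIE_TIMEOUT_RANGE):
            findings.append(f"Session cookie Timeout {cfg.session_cookie_timeout} outside "
                            f"{SESSION_COOKIE_TIMEOUT_RANGE} minutes")
    for zone, on in cfg.user_id_enabled_zones.items():
        if not on:
            findings.append(f"User Identification not enabled on zone {zone}: "
                            "users get the CP login page again after authenticating (redirect loop)")
    if cfg.mode == "redirect":
        if not cfg.redirect_interface:
            findings.append("Redirect mode needs a Layer 3 interface to redirect to")
        elif not cfg.response_page_enabled.get(cfg.redirect_interface, False):
            findings.append(f"Response Pages not enabled on the Management Profile of "
                            f"{cfg.redirect_interface}: login succeeds but the original site times out")
    return findings


# Constructed "before" configuration: NTLM on Transparent mode, a zone without
# User-ID, and a cookie timeout below the minimum.
BROKEN_CONFIG = CaptivePortalConfig(
    mode="transparent", ntlm=True, session_cookie=True, session_cookie_timeout=30,
    authentication_profile="ldap-auth",
    user_id_enabled_zones={"l2-lan-trust": False},
    redirect_interface="ethernet1/2", response_page_enabled={"ethernet1/2": False},
)

# Constructed "after" configuration that satisfies every check above.
FIXED_CONFIG = CaptivePortalConfig(
    mode="redirect", ntlm=True, redirect_host="fw-cp.example.internal",
    session_cookie=True, session_cookie_timeout=1440,
    authentication_profile="ldap-auth",
    user_id_enabled_zones={"l2-lan-trust": True},
    redirect_interface="ethernet1/2", response_page_enabled={"ethernet1/2": True},
)

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "->", check_captive_portal(cfg) or "OK")
```

The two Common Issues on the page map directly onto the last two checks: a zone without User Identification produces the redirect loop, and a redirect interface whose Management Profile lacks Response Pages produces the post-login timeout. Running the check before commit catches both, along with the ordering dependency that NTLM and session cookies only work in Redirect mode.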